WebCobra Malware Uses Victims’ Computers to Mine Cryptocurrency

The authors thank their colleagues Oliver Devane and Deepak Setty for their help with this analysis.

McAfee Labs researchers have discovered new Russian malware, dubbed WebCobra, which harnesses victims’ computing power to mine for cryptocurrencies.

Coin mining malware is difficult to detect. Once a machine is compromised, a malicious app runs silently in the background with just one sign: performance degradation. As the malware increases power consumption, the machine slows down, leaving the owner with a headache and an unwelcome bill, as the energy it takes to mine a single bitcoin can cost from $531 to $26,170, according to a recent report.

The increase in the value of cryptocurrencies has inspired cybercriminals to employ malware that steals machine resources to mine crypto coins without the victims’ consent.

The following chart shows how the prevalence of miner malware follows changes in the price of Monero cryptocurrency.

Figure 1: The price of cryptocurrency Monero peaked at the beginning of 2018. The total samples of coin miner malware continue to grow. Source: https://coinmarketcap.com/currencies/monero/.

McAfee Labs has previously analyzed the cryptocurrency file infector CoinMiner; and the Cyber Threat Alliance, with major assistance from McAfee, has published a report, “The Illicit Cryptocurrency Mining Threat.” Recently we examined the Russian application WebCobra, which silently drops and installs the Cryptonight miner or Claymore’s Zcash miner, depending on the architecture WebCobra finds. McAfee products detect and protect against this threat.

We believe this threat arrives via rogue PUP installers. We have observed it across the globe, with the highest number of infections in Brazil, South Africa, and the United States.

This cryptocurrency mining malware is uncommon in that it drops a different miner depending on the configuration of the machine it infects. We will discuss that detail later in this post.

Behavior

The main dropper is a Microsoft installer that checks the running environment. On x86 systems, it injects Cryptonight miner code into a running process and launches a process monitor. On x64 systems, it checks the GPU configuration and downloads and executes Claymore’s Zcash miner from a remote server.

Figure 3: WebCobra’s installation window.

After launching, the malware drops and unzips a password-protected Cabinet archive file with this command:

Figure 4: The command to unzip the dropped file.

The CAB file contains two files:

ERDNT.LOC: A DLL file that decrypts data.bin

data.bin: The encrypted malicious payload

The CAB file uses the following script to execute ERDNT.LOC:

Figure 5: The script to load the DLL file, ERDNT.LOC.

ERDNT.LOC decrypts data.bin and passes execution to it. The decryption works one byte at a time (additions wrap modulo 256) using this routine:

[PlainText_Byte] = (([EncryptedData_Byte] + 0x2E) ^ 0x2E) + 0x2E

Figure 6: The decryption routine.
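The routine in Figure 6, as an added example (not McAfee's code): a decoder with its inverse, so the transform can be checked by round trip before it is applied to a real data.bin, plus a cheap "is the result a PE?" check for triage. The sample blob is constructed here, not taken from the malware.

```python
# Added example, not McAfee's code: the byte transform Figure 6 describes, plus its
# inverse so a decoder can be checked by round trip before running it over data.bin.
import sys

KEY = 0x2E

def decrypt_byte(enc: int) -> int:
    """plain = ((enc + 0x2E) ^ 0x2E) + 0x2E, every step truncated to one byte."""
    step = (enc + KEY) & 0xFF
    step ^= KEY
    return (step + KEY) & 0xFF

def encrypt_byte(plain: int) -> int:
    """Inverse of decrypt_byte: enc = ((plain - 0x2E) ^ 0x2E) - 0x2E (mod 256)."""
    step = (plain - KEY) & 0xFF
    step ^= KEY
    return (step - KEY) & 0xFF

# Because the transform is fixed (no per-sample key), it is just a 256-entry
# substitution; precompute it once and use bytes.translate for speed.
DECRYPT_TABLE = bytes(decrypt_byte(b) for b in range(256))
ENCRYPT_TABLE = bytes(encrypt_byte(b) for b in range(256))

def decrypt(data: bytes) -> bytes:
    return data.translate(DECRYPT_TABLE)

def encrypt(data: bytes) -> bytes:
    return data.translate(ENCRYPT_TABLE)

def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check on a decoded blob: 'MZ' header and e_lfanew pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

# Constructed stand-in for data.bin: a minimal DOS header with e_lfanew = 0x40
# pointing at a PE signature, encrypted with the inverse transform above.
SAMPLE_PLAIN = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
SAMPLE_ENCRYPTED = encrypt(SAMPLE_PLAIN)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ENCRYPTED
    out = decrypt(blob)
    print("decoded %d bytes, PE header: %s" % (len(out), looks_like_pe(out)))
```

Run it with the path to an extracted data.bin as the only argument; with no argument it decodes the constructed sample. Since the transform has no key material, the table form is also the quickest way to apply it inside a disassembler script.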

The program checks the running environment to launch the proper miner, shown in the following diagram:

Once data.bin is decrypted and executed, it runs several anti-debugging, anti-emulation, and anti-sandbox checks and looks for other security products running on the system. These steps allow the malware to remain undetected for a long time.

Most security products hook some APIs to monitor the behavior of malware. To avoid being found by this technique, WebCobra loads ntdll.dll and user32.dll from disk as data files (a clean, unhooked mapping) and overwrites the first 8 bytes of each of the functions listed below with the bytes from that clean copy, which removes any inline hooks placed on them.

List of unhooked ntdll.dll APIs

LdrLoadDll

ZwWriteVirtualMemory

ZwResumeThread

ZwQueryInformationProcess

ZwOpenSemaphore

ZwOpenMutant

ZwOpenEvent

ZwMapViewOfSection

ZwCreateUserProcess

ZwCreateSemaphore

ZwCreateMutant

ZwCreateEvent

RtlQueryEnvironmentVariable

RtlDecompressBuffer

List of unhooked user32.dll APIs

SetWindowsHookExW

SetWindowsHookExA
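The unhooking step above defeats the usual inline-hook check, so it is worth seeing what that check looks like. The following is an added example, not McAfee's code and not from any security product: it models a monitoring component comparing the on-disk ("clean") prologue of an export with the one executing in the process, classifying the detour, and resolving its target; `unhook` does what the post describes WebCobra doing. The stub bytes, `FUNC_VA` and `DETOUR_VA` are constructed values for an x86 process, not real ntdll addresses.

```python
# Added example, not McAfee's code: a model of the inline-hook check that the
# unhooking step defeats. The "clean" prologue is what a data-file mapping of
# ntdll.dll from disk yields; the "live" prologue is what is executing in the process.
import struct

PROLOGUE_LEN = 8            # WebCobra rewrites the first 8 bytes of each target export
ADDRESS_MASK = 0xFFFFFFFF   # x86 process, as in the injection path the post describes

def classify_hook(code: bytes):
    """Label a recognisable detour at offset 0 of a prologue, or return None."""
    if len(code) >= 5 and code[0] == 0xE9:                         # jmp rel32
        return "jmp rel32"
    if len(code) >= 6 and code[:2] == b"\xff\x25":                 # jmp [addr]
        return "jmp indirect"
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:     # push imm32; ret
        return "push/ret"
    return None

def jmp_rel32_target(func_va: int, code: bytes) -> int:
    """Destination of an E9 jmp at func_va: next-instruction address plus the signed rel32."""
    rel32 = struct.unpack_from("<i", code, 1)[0]
    return (func_va + 5 + rel32) & ADDRESS_MASK

def check_export(name: str, func_va: int, clean: bytes, live: bytes) -> dict:
    """Compare the on-disk prologue with the in-memory one and describe any detour found."""
    if live[:PROLOGUE_LEN] == clean[:PROLOGUE_LEN]:
        return {"name": name, "hooked": False}
    kind = classify_hook(live)
    result = {"name": name, "hooked": True, "kind": kind}
    if kind == "jmp rel32":
        result["target"] = jmp_rel32_target(func_va, live)
    elif kind == "push/ret":
        result["target"] = struct.unpack_from("<I", live, 1)[0]
    return result

def unhook(live: bytes, clean: bytes) -> bytes:
    """What the post describes WebCobra doing: copy the clean first 8 bytes over the live prologue."""
    return clean[:PROLOGUE_LEN] + live[PROLOGUE_LEN:]

def make_jmp_hook(func_va: int, detour_va: int, clean: bytes) -> bytes:
    """Constructed E9 detour over the first 5 bytes of a prologue (demo input only)."""
    return b"\xE9" + struct.pack("<i", detour_va - (func_va + 5)) + clean[5:]

# Constructed sample values (not taken from any real ntdll build): a 32-bit
# Nt/Zw stub shape "mov eax, N; mov edx, 7FFE0300h; call [edx]; ret 14h".
CLEAN_STUB = bytes.fromhex("B8 37 01 00 00 BA 00 03 FE 7F FF 12 C2 14 00")
FUNC_VA = 0x77A1F2C0      # assumed address of ZwWriteVirtualMemory in the process
DETOUR_VA = 0x10001000    # assumed address of the monitoring product's handler
HOOKED_STUB = make_jmp_hook(FUNC_VA, DETOUR_VA, CLEAN_STUB)

if __name__ == "__main__":
    print(check_export("ZwWriteVirtualMemory", FUNC_VA, CLEAN_STUB, HOOKED_STUB))
    print(check_export("ZwWriteVirtualMemory", FUNC_VA, CLEAN_STUB, unhook(HOOKED_STUB, CLEAN_STUB)))
```

The second print shows why this class of check is weak against WebCobra: after `unhook` the live bytes equal the clean bytes again, so a product that relies only on prologue hooks loses visibility of the listed APIs. Detection has to come from elsewhere, for instance from a kernel callback noticing a write to the code pages of ntdll.dll in a process.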

Infecting an x86 system

The malware injects malicious code into svchost.exe and runs an infinite loop that enumerates all open windows and compares each window's title bar text with the following strings. This is another check WebCobra uses to determine whether it is running in an isolated environment built for malware analysis.

adw

emsi

avz

farbar

glax

delfix

rogue

exe

asw_av_popup_wndclass

snxhk_border_mywnd

AvastCefWindow

AlertWindow

UnHackMe

eset

hacker

AnVir

Rogue

uVS

malware

If any of the preceding strings appears in a window's title bar text, that window is terminated.

Coin mining malware will continue to evolve as cybercriminals take advantage of this relatively easy path to stealing value. Mining coins on other people’s systems requires less investment and risk than ransomware, and does not depend on a percentage of victims agreeing to send money. Until users learn they are supporting criminal miners, the latter have much to gain.

MITRE ATT&CK techniques

Exfiltration over command and control channel

Command-line interface

Hooking

Data from local system

File and directory discovery

Query registry

System information discovery

Process discovery

System time discovery

Process injection

Data encrypted

Data obfuscation

Multilayer encryption

File deletion

Indicators of compromise

IP addresses

5.149.249[.]13:2224

5.149.254[.]170:2223

104.31.92[.]212

Domains

emergency.fee.xmrig[.]com

miner.fee.xmrig[.]com

saarnio[.]ru

eu.zec.slushpool[.]com
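As an added example (not McAfee's code), the following sweeps connection and DNS log lines for the indicators listed above. The indicators are kept defanged exactly as published and refanged at load time. One assumption is made that the post does not: the xmrig fee and slushpool hostnames are public mining-pool and XMRig donation infrastructure that also show up in unrelated mining activity, so hits on them are reported as low fidelity. The log format and lines are constructed.

```python
# Added example, not McAfee's code: sweep connection/DNS log lines for the indicators
# listed above. The indicators are kept defanged as published and refanged at load time.
import re

IOC_IPS = ["5.149.249[.]13:2224", "5.149.254[.]170:2223", "104.31.92[.]212"]
IOC_DOMAINS = ["emergency.fee.xmrig[.]com", "miner.fee.xmrig[.]com",
               "saarnio[.]ru", "eu.zec.slushpool[.]com"]

# Assumption made here, not in the post: the xmrig fee and slushpool hostnames are
# shared by unrelated mining activity, so hits on them are reported as low fidelity.
LOW_FIDELITY = {"emergency.fee.xmrig.com", "miner.fee.xmrig.com", "eu.zec.slushpool.com"}

def refang(s: str) -> str:
    return s.replace("[.]", ".")

def build_iocs():
    """Return ({ip: set(ports)}, [domains]); an empty port set means 'any port'."""
    ip_ports = {}
    for entry in IOC_IPS:
        ip, _, port = refang(entry).partition(":")
        ip_ports.setdefault(ip, set())
        if port:
            ip_ports[ip].add(int(port))
    return ip_ports, [refang(d) for d in IOC_DOMAINS]

IP_RE = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?(?![\w.])")
HOST_RE = re.compile(r"(?<![\w.-])([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(?![\w-])")

def domain_hit(host: str, domains):
    """Exact or subdomain match, so a host under saarnio.ru also counts."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None

def scan(log_text: str):
    """Return (line_no, matched_value, fidelity) for every indicator seen in the log."""
    ip_ports, domains = build_iocs()
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for m in IP_RE.finditer(line):
            ip, port = m.group(1), m.group(2)
            if ip not in ip_ports:
                continue
            wanted = ip_ports[ip]
            port_ok = not wanted or (port is not None and int(port) in wanted)
            label = ip if port is None else f"{ip}:{port}"
            hits.append((lineno, label, "high" if port_ok else "medium"))
        for m in HOST_RE.finditer(line):
            host = m.group(1)
            if all(label.isdigit() for label in host.split(".")):
                continue                     # that token was an IP, handled above
            d = domain_hit(host, domains)
            if d is not None:
                hits.append((lineno, host, "low" if d in LOW_FIDELITY else "high"))
    return hits

# Constructed log lines: "time src -> dst:port proto" and "time src DNS query name".
SAMPLE_LOG = """\
2018-11-01T10:02:11Z 10.0.0.5 -> 5.149.249.13:2224 TCP
2018-11-01T10:02:15Z 10.0.0.5 DNS query eu.zec.slushpool.com
2018-11-01T10:03:01Z 10.0.0.7 DNS query www.example.com
2018-11-01T10:03:30Z 10.0.0.9 -> 104.31.92.212:443 TCP
2018-11-01T10:04:00Z 10.0.0.9 DNS query miner.fee.xmrig.com
2018-11-01T10:05:12Z 10.0.0.5 -> 5.149.254.170:443 TCP
"""

if __name__ == "__main__":
    for lineno, value, fidelity in scan(SAMPLE_LOG):
        print(f"line {lineno}: {value} ({fidelity})")
```

An IP seen on a port other than the published one is reported as medium rather than dropped, since the miner's pool port can change while the server does not. The bare IP published without a port should still be corroborated with the hostname or the process making the connection, because a shared hosting or CDN address can serve unrelated sites.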

McAfee detections

CoinMiner Version 2 in DAT Version 8986; Version 3 in DAT Version 3437

l Version 2 in DAT Version 9001; Version 3 in DAT Version 3452

RDN/Generic PUP.x Version 2 in DAT Version 8996; Version 3 in DAT Version 3447
